It looks like something has changed recently on the security front. All of our integrations attempting to authenticate via the /oauth/token endpoint are failing. Furthermore, our testing shows that this isn't isolated to authentication; the issue is also affecting public endpoints that do not require a token.
We haven't made any modifications on our end, but our diagnostics show that Akamai is blocking the traffic entirely. The requests are being rejected at the CDN/WAF level and are not even reaching APEX.
Interestingly, the only requests successfully getting through in our testing are those sent via Postman. To isolate the issue, we tested requesting the endpoints using a Node.js proxy with a headless browser to see if the block was specifically targeting requests made via standard OpenSSL. Our tests confirmed that using this proxy bypassed the block and the requests worked, but this is obviously not a viable workaround; we only did this to validate our theory.
Is anyone else experiencing similar issues with Akamai blocking both authenticated and public APEX requests? I haven't seen any reports or posts about recent rule changes regarding this.
Any help or insight here would be greatly appreciated!